
Init systems

mviereck edited this page Feb 15, 2022 · 11 revisions

Init in docker container

x11docker provides option --init to specify the init system (PID 1) in the container. An init in the container solves the zombie reaping issue.

By default x11docker uses tini, which is usually shipped with docker as /usr/bin/docker-init. tini already serves the most important purposes.

The init systems runit, openrc and sysvinit degrade container isolation a bit; systemd degrades container isolation a lot. In particular, user switching inside the container will be allowed.

  • See Dependencies in image for what --init=systemd|sysvinit|openrc|runit require.

  • A few applications depend on DBus in the container. A DBus user session daemon can only be started with --dbus, independent of --init. A DBus system daemon is started along with --init=systemd|openrc|runit|sysvinit.

  • A few applications depend on systemd-logind, which is only available with systemd. A possible replacement is elogind, started with one of --init=openrc|runit|sysvinit.

tini

--init, --init=tini: Default of x11docker.

  • Uses /usr/bin/docker-init from the host. In fact it is tini.
  • On some distributions /usr/bin/docker-init is missing from the docker package; compare #23. To provide a replacement, download tini-static from https://github.com/krallin/tini and store it at one of the following locations:
    • ~/.local/share/x11docker
    • /usr/local/share/x11docker

These steps as shell commands:

mkdir -p ~/.local/share/x11docker
cd ~/.local/share/x11docker
wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static
chmod +x tini-static

systemd

--init=systemd: Runs init system systemd in container.

  • With cgroup v1 this implies option --sharecgroup, which shares /sys/fs/cgroup with the container.
  • Example: x11docker --init=systemd --desktop x11docker/lxde

OpenRC

--init=openrc: Runs init system OpenRC in container.

  • cgroup usage is possible with option --sharecgroup.
  • Example: x11docker --init=openrc --desktop x11docker/fvwm

runit

--init=runit: Runs init system runit in container.

  • Example: x11docker --init=runit --desktop x11docker/enlightenment

SysVinit

--init=sysvinit: Runs init system SysVinit in container.

No init system

--init=none: Does not run any init system in container. Image command will be PID 1.

elogind

elogind is not an init system, but it allows running applications without systemd that would otherwise depend on systemd-logind.

  • x11docker automatically supports elogind in the container with the init system options --init=openrc|runit|sysvinit and with option --dbus=system.
    • elogind also needs option --sharecgroup.
  • Dependencies in image: elogind and libpam-elogind.

elogind cgroup setup

tl;dr: Run x11docker as root to not worry about anything.

  • If your host does not run elogind (but e.g. systemd), x11docker needs an elogind cgroup mountpoint at /sys/fs/cgroup/elogind. Run x11docker with root privileges to create it automatically.
  • The same goes for elogind on the host and systemd in the container; a cgroup mountpoint for systemd must be created. x11docker does this automatically if it runs as root.
  • If you want to manually set up the cgroup:
    • Create elogind cgroup mountpoint on a systemd host:
    mount -o remount,rw cgroup /sys/fs/cgroup  # remove write protection
    mkdir -p /sys/fs/cgroup/elogind
    mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind
    mount -o remount,ro cgroup /sys/fs/cgroup  # restore write protection
    
    • Create a systemd cgroup mountpoint on an elogind host:
    mkdir -p /sys/fs/cgroup/systemd
    mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd
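As an added helper (not part of x11docker), the following script maps an --init choice to the named cgroup v1 hierarchy it relies on, checks the host's mount table for it, and prints only the commands from the setup above that are still needed; CGROUP_ROOT and MOUNTS_FILE are assumed defaults that can be overridden, and it assumes elogind is the logind replacement used with openrc, runit and sysvinit.

```shell
#!/bin/sh
# Added helper, not part of x11docker: decide which named cgroup v1
# hierarchy a container init relies on and whether the host already mounts
# it. CGROUP_ROOT and MOUNTS_FILE are assumed defaults, overridable for tests.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"

# --init=systemd needs name=systemd; openrc/runit/sysvinit (assumed to run
# elogind) need name=elogind; tini and none need no named hierarchy at all.
needed_hierarchy() {
    case "$1" in
        systemd)               echo systemd ;;
        openrc|runit|sysvinit) echo elogind ;;
        tini|none)             echo none ;;
        *) echo "unknown init: $1" >&2; return 1 ;;
    esac
}

# Succeed if a cgroup (v1) mount carrying option name=<hierarchy> is listed
# in MOUNTS_FILE; the mount options are the 4th field of /proc/self/mounts.
hierarchy_mounted() {
    awk -v want="name=$1" '
        $3 == "cgroup" { n = split($4, o, ",")
                         for (i = 1; i <= n; i++) if (o[i] == want) found = 1 }
        END { exit found ? 0 : 1 }' "$MOUNTS_FILE"
}

# Print the wiki's mount commands needed to prepare the host for --init=$1,
# or nothing if the hierarchy is already there. Nothing is executed here;
# the printed commands need root, e.g. review them and pipe into "sudo sh".
plan_cgroup_setup() {
    h=$(needed_hierarchy "$1") || return 1
    [ "$h" = none ] && return 0
    hierarchy_mounted "$h" && return 0
    # On a systemd host /sys/fs/cgroup is a read-only tmpfs: remount around mkdir.
    [ "$h" = elogind ] && echo "mount -o remount,rw cgroup $CGROUP_ROOT"
    echo "mkdir -p $CGROUP_ROOT/$h"
    echo "mount -t cgroup cgroup $CGROUP_ROOT/$h -o none,name=$h"
    [ "$h" = elogind ] && echo "mount -o remount,ro cgroup $CGROUP_ROOT"
    return 0
}

# Usage: sh cgroup-plan.sh <init>   (e.g. sysvinit)
if [ $# -gt 0 ]; then plan_cgroup_setup "$1"; fi
```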
    